CVE-2022-30586
CVE-2022-30586 affects Gradle Enterprise up through version 2022.2.2, where Incorrect Access Control can lead to code execution. The advisory notes a high-severity impact (CVSS 3.1 base score 7.2) with network access and no user interaction required, and the root cause is access-control weakness ...
Gradle information disclosure vulnerability
Gradle is a suite of JVM-based project build tools from Gradle, Inc. that supports Maven, Ivy repositories, and more. A security vulnerability exists in Gradle Enterprise version 2022.2.2 and prior versions, which stems from incorrect access control and leads to information disclosure...
Gradle information disclosure vulnerability
Gradle is a set of JVM-based project build tools from Gradle Inc. that supports Maven, Ivy repositories, and more. An information disclosure vulnerability exists in Gradle Enterprise version 2022.2.2 and prior versions, which stems from incorrect access control and leads to code execution...
PT-2022-20192 · Gradle · Gradle Enterprise
Name of the Vulnerable Software and Affected Versions: Gradle Enterprise versions 2022.2.2 and earlier Description: The issue is related to Incorrect Access Control, which can lead to information disclosure. Recommendations: For Gradle Enterprise versions 2022.2.2 and earlier, update to a version...
PT-2022-20191 · Gradle · Gradle Enterprise
Name of the Vulnerable Software and Affected Versions: Gradle Enterprise versions through 2022.2.2 Description: The issue is related to Incorrect Access Control, which can lead to code execution. Recommendations: For Gradle Enterprise versions through 2022.2.2, update to a version later than...
Zap-Scripts - Zed Attack Proxy Scripts For Finding CVEs And Secrets
Zed Attack Proxy Scripts for finding CVEs and Secrets. Building This project uses Gradle to build the ZAP add-on; simply run ./gradlew build in the main directory of the project, and the add-on will be placed in the directory build/zapAddOn/bin/. Usage The easiest way to use this repo in ZAP is to a...
Cross-site request forgery vulnerability in Jenkins Artifactory Plugin
A cross-site request forgery vulnerability in Jenkins Artifactory Plugin 3.2.2 and earlier in ReleaseAction#doSubmit, GradleReleaseApiAction#doStaging, MavenReleaseApiAction#doStaging, and UnifiedPromoteBuildAction#doSubmit allowed attackers to schedule a release build, perform release staging for...
GHSA-VP55-FHXX-VCX8 Maven Extension plugin for Gradle Enterprise vulnerable to Deserialization of Untrusted Data
An issue was discovered in the Maven Extension plugin before 1.6 for Gradle Enterprise. It is vulnerable to, in the worst case, Remote Code Execution, and in the general case, local privilege escalation. Internally, the plugin uses a socket connection to send serialized Java objects that are...
Maven Extension plugin for Gradle Enterprise vulnerable to Deserialization of Untrusted Data
An issue was discovered in the Maven Extension plugin before 1.6 for Gradle Enterprise. It is vulnerable to, in the worst case, Remote Code Execution, and in the general case, local privilege escalation. Internally, the plugin uses a socket connection to send serialized Java objects that are...
Exposure of Sensitive Information in Gradle publish plugin
All versions of com.gradle.plugin-publish before 0.11.0 are vulnerable to Insertion of Sensitive Information into Log File. When a plugin author publishes a Gradle plugin while running Gradle with the --info log level flag, the Gradle Logger logs an AWS pre-signed URL. If this build log is public...
GHSA-CV78-V957-JX34 Exposure of Sensitive Information in Gradle publish plugin
All versions of com.gradle.plugin-publish before 0.11.0 are vulnerable to Insertion of Sensitive Information into Log File. When a plugin author publishes a Gradle plugin while running Gradle with the --info log level flag, the Gradle Logger logs an AWS pre-signed URL. If this build log is public...
Use of a weak cryptographic algorithm in Gradle
The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-4900...
GHSA-HHR2-F668-FF2W Use of a weak cryptographic algorithm in Gradle
The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-4900...
gradle: repository content filters do not work in Settings pluginManagement
In Gradle from version 5.1 and before version 7.0 there is a vulnerability which can lead to information disclosure and/or dependency poisoning. Repository content filtering is a security control Gradle introduced to help users specify what repositories are used to resolve specific dependencies...
gradle: local privilege escalation through system temporary directory
In Gradle before version 7.0, on Unix-like systems, the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. Gradle builds could be vulnerable to a local privilege escalation from an attacker quickly deleting and recreatin...
gradle: information disclosure through temporary directory permissions
In Gradle before version 7.0, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle. Some builds could be vulnerable to a local information disclosure. Remote files accessed through TextResourceFactory are downloaded...
com.bugvm:bugvm-compiler (>=1.0.0 <=1.1.5), com.carrotsearch.randomizedtesting:ant-junit4 (>=0.0.3 <=0.0.4) +58 more potentially affected by CVE-2017-1000190 via org.simpleframework:simple-xml (>=2.1.3 <=2.7)
org.simpleframework:simple-xml MAVEN version =2.1.3, =1.0.0, =0.0.3, =1.0.0, =1.0.0, =1.0.0, =0.0.1, =1.0.22, =2.3.1-ios11, =1.0.2, =1.0.1, =1.1.0.1 and more Source cves: CVE-2017-1000190 Source advisory: OSV:GHSA-F5QF-VH69-9Q4R...
com.github.kulya:jmeter-gradle-plugin (>=1.3.1-2.6 <=1.3.4-2.9), com.lazerycode.jmeter:jmeter-maven-plugin (>=1.4 <=1.8.1) +4 more potentially affected by CVE-2018-1297 via org.apache.jmeter:ApacheJMeter (>=2.6 <=3.3)
org.apache.jmeter:ApacheJMeter MAVEN version =2.6, =1.3.1-2.6, =1.4, =1.0.7-3.0-BETA, =1.0.7-3.0-BETA, =6.3.0, =6.2.0, =6.6.0 Source cves: CVE-2018-1297 Source advisory: OSV:GHSA-7V85-6HV2-RWGW...
com.github.kulya:jmeter-gradle-plugin (>=1.3.1-2.6 <=1.3.4-2.9), com.lazerycode.jmeter:jmeter-maven-plugin (>=1.4 <=1.8.1) +4 more potentially affected by CVE-2018-1287 via org.apache.jmeter:ApacheJMeter (>=2.6 <=3.3)
org.apache.jmeter:ApacheJMeter MAVEN version =2.6, =1.3.1-2.6, =1.4, =1.0.7-3.0-BETA, =1.0.7-3.0-BETA, =6.3.0, =6.2.0, =6.6.0 Source cves: CVE-2018-1287 Source advisory: OSV:GHSA-J7J7-G4WW-PXG5...
GHSA-PPRQ-4488-WGQX Insecure transport protocol in Gradle
Gradle versions from 1.4 to 5.3.1 use an insecure HTTP URL to download dependencies when the built-in JavaScript or CoffeeScript Gradle plugins are used. Dependency artifacts could have been maliciously compromised by a MITM attack against the ajax.googleapis.com web site...